Cyber threats are no longer a distant concern for large enterprises. They are an immediate, quantifiable risk to every organisation, regardless of size or sector. The UK Government's Cyber Security Breaches Survey 2025 found that 43% of UK businesses reported experiencing a cyber security breach or attack in the past 12 months -- equivalent to approximately 612,000 companies nationwide. For medium businesses, the figure rises to 70%, and for large businesses, 74%.
The financial stakes are equally stark. The average cost of a cyber attack to a medium UK business was £10,830, while cybercrime costs UK businesses an estimated £21 billion per year overall. The NCSC managed 429 incidents in the last year, with 204 deemed nationally significant -- more than double the 89 recorded in the previous 12 months.
Against this backdrop, cyber security procurement has moved from a technical afterthought to a strategic imperative. The question is no longer whether to invest in cyber security, but how to invest wisely -- procuring solutions that genuinely reduce risk rather than simply adding complexity.
Understanding the Threat Landscape
Before you can procure effectively, you need to understand what you are defending against. The 2025 data paints a clear picture of where the threats originate.
External Threats
Phishing remains the dominant attack vector, accounting for 84% of breaches experienced by UK businesses. The estimated percentage of businesses experiencing ransomware attacks doubled from less than 0.5% in 2024 to 1% in 2025, equating to approximately 19,000 businesses. Identity-based attack attempts now dominate, accounting for 67.6% of incidents handled by the NCSC in Q2 2025.
Internal Threats
Many security incidents originate not from sophisticated external attacks but from internal behaviour -- employees using company devices for personal purposes, failing to update systems, accessing company materials from unsecured locations, or falling victim to social engineering. Security awareness training is essential, but it must be complemented by technical controls that limit the damage when human error inevitably occurs.
Supply Chain Threats
Perhaps the most challenging dimension of the modern threat landscape is supply chain risk. Only 14% of UK firms are properly managing the potential cyber risks faced by their immediate suppliers, yet 45% of organisations have experienced a third-party data or privacy breach in the past 12 months. The SolarWinds attack in 2020 and the MOVEit Transfer vulnerability in 2023 demonstrated how a single compromised supplier can affect hundreds of organisations, including UK government departments and NHS bodies.
The Less Is More Principle: Needs-Based Procurement
Faced with a growing threat landscape, many organisations respond by purchasing the latest security software indiscriminately. This creates its own problems. Each new solution requires secure integration with existing systems, staff training, and ongoing management. A cluttered security stack can actually increase your attack surface rather than reduce it.
Effective cyber security procurement should follow a needs-based approach:
1. Conduct a security risk assessment: Identify your organisation's specific vulnerabilities, critical assets, and threat profile before evaluating any solutions.
2. Map controls to frameworks: Use established frameworks such as NCSC Cyber Essentials, ISO 27001, or the NIST Cybersecurity Framework to identify the controls you need.
3. Assess existing coverage: Before buying new tools, determine whether your current solutions are being fully utilised. Often, existing platforms have capabilities that are not enabled or configured.
4. Prioritise high-impact investments: Focus spending on the controls that address your highest risks, not on the tools with the most impressive marketing.
Justifying Costs and Calculating ROI
Unlike many technology investments, cyber security procurement does not deliver a visible productivity uplift. Instead, it protects the organisation against quantifiable losses. This can make building the business case challenging, but the data is compelling.
The ROI Framework
Calculate cyber security ROI using this formula:
ROI = (Total Expected Risk Costs - Solution Costs) / Solution Costs
Where:
- Total expected risk costs include: the average cost of a breach for your business size (£10,830 for medium businesses), regulatory fines under UK GDPR and the Data Protection Act 2018, reputational damage and customer churn, operational downtime, and legal costs.
- Solution costs include: purchase price, implementation costs, training, ongoing licensing, and maintenance.
Three Approaches to Quantifying Risk
- Current threat analysis: Compare your existing breach costs and near-miss incidents against the lifecycle cost of the proposed solution.
- Regulatory compliance: Calculate the potential penalties for non-compliance with UK GDPR, NIS Regulations, or sector-specific requirements. The Information Commissioner's Office can impose fines of up to £17.5 million or 4% of annual global turnover.
- Stakeholder assessment: Assemble stakeholders from IT, operations, finance, and leadership to assess organisational risk appetite and agree on acceptable levels of residual risk.
Government spending on cybersecurity contracts increased from £262 million in 2019 to £931 million in 2024, more than tripling in five years. This growth signals the public sector's recognition that cyber security investment is non-negotiable.
NCSC Cyber Essentials: The Procurement Baseline
The National Cyber Security Centre's Cyber Essentials scheme should form the foundation of your cyber security procurement strategy -- both for your own organisation and for your suppliers.
Cyber Essentials provides a tangible, efficient way for organisations to gain assurance that their suppliers have effectively implemented fundamental technical controls. The five core controls are:
1. Firewalls: Boundary firewalls and internet gateways configured to protect the network
2. Secure configuration: Devices and software configured to reduce vulnerabilities
3. Access control: User access restricted to what is needed for each role
4. Malware protection: Anti-malware measures deployed and maintained
5. Patch management: Software and devices kept up to date with security patches
Cyber Essentials in Procurement
The NCSC released a Supply Chain Playbook in 2025 emphasising the importance of embedding Cyber Essentials standards across procurement processes. Key recommendations include:
- Requiring Cyber Essentials or Cyber Essentials Plus certification from suppliers as a minimum standard
- Deploying the NCSC Supplier Check tool, which enables organisations to quickly verify which suppliers are certified and to what level
- Integrating cyber requirements into procurement frameworks from the outset rather than as an afterthought
The UK Government Cyber Security Strategy 2022-2030 promotes Cyber Essentials as a baseline to stimulate "informed demand," shifting procurement decisions away from lowest cost and prioritising cyber outcomes.
Supply Chain Cyber Risk Management
Your organisation's cyber security is only as strong as the weakest link in your supply chain. A structured approach to supply chain cyber risk management is essential.
Frameworks for Supply Chain Security
- ISO 27001:2022 provides updated organisational and technological controls that address third-party risk through enhanced requirements for supplier relationships and supply chain security.
- ISO 27036-2 is particularly relevant for procurement, specifying fundamental information security requirements for supplier and acquirer relationships.
- NIST Cybersecurity Framework 2.0, released in 2024, introduced a new GOVERN function with a specific Cybersecurity Supply Chain Risk Management category, requiring cyber supply chain risk management to be documented and integrated into the organisation's overall risk management approach.
A Practical Supplier Assessment Process
When evaluating suppliers, consider the following:
1. Certification check: Does the supplier hold Cyber Essentials, Cyber Essentials Plus, or ISO 27001 certification?
2. Security questionnaire: Issue a standardised cyber security questionnaire covering access controls, encryption, incident response, and business continuity.
3. Penetration testing: For high-risk suppliers, request evidence of recent penetration testing and vulnerability assessments.
4. Incident history: Ask about previous security incidents, how they were handled, and what improvements were made.
5. Sub-processor assessment: Understand who your supplier's suppliers are. Fourth-party risk is increasingly relevant.
6. Ongoing monitoring: Supplier cyber risk is not a one-time assessment. Establish regular review cycles and require notification of any material changes to the supplier's security posture.
Cyber Security Clauses in Procurement Contracts
In 2026, approximately 64% of organisations are expected to include cybersecurity clauses in procurement contracts. If your organisation is not among them, you are leaving yourself exposed.
Essential Cyber Security Contract Clauses
- Cyber Essentials certification requirement: Mandate a minimum certification level for all suppliers handling sensitive data or critical services.
- Breach notification timelines: Require suppliers to notify you of any security incident within a defined period (typically 24-72 hours).
- Incident response plans: Suppliers should maintain and share incident response plans detailing roles, responsibilities, and escalation procedures.
- Regular security assessments: Include the right to audit supplier security practices and require periodic penetration testing.
- Data handling and encryption standards: Specify minimum encryption standards for data at rest and in transit.
- Sub-contractor requirements: Require suppliers to flow down cyber security obligations to their sub-contractors.
- Security training obligations: Mandate that supplier staff handling your data receive regular security awareness training.
- Insurance requirements: Specify minimum cyber liability insurance coverage aligned with the contract value.
Emerging Threats: AI and Zero Trust
The cyber security landscape is evolving rapidly, and procurement decisions must account for emerging threats and defensive approaches.
AI-Driven Threats
AI-generated phishing attacks are becoming increasingly sophisticated and difficult to detect. Automated attack tools can now generate personalised phishing emails at scale, create convincing deepfake content, and identify vulnerabilities faster than human attackers. When procuring security solutions, assess whether they incorporate AI-driven detection capabilities that can match the sophistication of AI-powered threats.
Zero Trust Architecture
Zero trust -- the principle that no user, device, or network should be trusted by default -- is becoming a key consideration in cyber security procurement decisions. Vendors that fuse risk management, penetration testing, and reporting functionality enjoy a sizeable procurement advantage. When evaluating solutions, consider how they align with zero trust principles and whether they support identity verification, micro-segmentation, and continuous monitoring.
Building a Cyber Security Procurement Checklist
A structured procurement process reduces the risk of purchasing ineffective solutions or overlooking critical requirements. Your checklist should include:
- Completed risk assessment identifying specific threats and vulnerabilities
- Defined security requirements mapped to an established framework (Cyber Essentials, ISO 27001, NIST CSF)
- Market research covering at least three potential suppliers
- Supplier security posture assessment (certifications, incident history, penetration testing)
- Total cost of ownership calculation including implementation, training, licensing, and support
- Integration assessment with existing security infrastructure
- Contract clause review covering breach notification, audit rights, and incident response
- Implementation plan with defined milestones and success criteria
- Ongoing monitoring and review schedule
How Athena Commercial Can Help
Cyber security procurement requires both technical understanding and commercial expertise. Getting the balance wrong means either overspending on solutions that do not address your real risks or underspending and leaving your organisation exposed.
Athena Commercial helps organisations navigate the cyber security procurement landscape with confidence. Our services include technology contract review, market research and vendor evaluation, negotiation support, and project oversight from procurement through implementation. We ensure your cyber security investments deliver genuine protection and measurable value.
To discuss your cyber security procurement needs, visit https://www.athena-commercial.co.uk or contact our team directly.